Major Account Related Security Hole Discovered in RScript RSAuction Script
05-03-2007, 08:30 AM,
(This post was last modified: 05-03-2007, 09:10 AM by mandy.)
Post: #1
Major Account Related Security Hole Discovered in RScript RSAuction Script
Amy alerted me to this problem after she was alerted by another user. She was able to confirm the existence of this MAJOR account related security hole using a demo of the script.
I'm not going to post the details of this vulnerability in the open because I don't want to give hackers and scammers a free pass to wreak havoc on the dozens of auction sites using this script, but... If you're an RScript RSAuction site owner send me a PM and I'll fill you in on the nature of the problem.

A major account related security flaw was discovered by a user. Another person replicated the steps that led to the discovery of the bug and was able to verify the existence of this major security hole using a current demo of the script. If you're an RScript programmer send me a PM and I'll give you the steps needed to replicate and confirm the existence of this major hole. You need to issue a patch immediately.

PS for the person responsible for this bit of sloppy programming, a quote from reference.com:

Quote: Vulnerabilities often result from the carelessness of a programmer
05-03-2007, 09:38 AM,
(This post was last modified: 05-03-2007, 09:55 AM by mandy.)
Post: #2
Re: Major Account Related Security Hole Discovered in RScript RSAuction Script
The bug was first noticed on Wagglepop. The demo on the RScript site has the same bug therefore the problem most likely affects all sites using the script.
Other RScript sites: AtOncer, BiddersNSellers, Ewaey, Lowbid, OvernightAuctions, PlunderHere, TheAuctionMan and about 100 more.
05-03-2007, 02:56 PM,
Post: #3
Re: Major Account Related Security Hole Discovered in RScript RSAuction Script
I just reported the flaw to Secunia and gave them the details on how to verify it using the RScript demo.
"Well, Jay was so giddy that someone named Jay was involved with this site we posted our first non-eBay listing in 3 years here at Lunarbid (we tried two items at Yahoo once upon a time, they bombed)" -Marie posting in a LunarBid thread at OTWA in 2005 wins the award for "most moronic reason ever given for choosing a venue"
"thanks twat u must have nothing better 2 do. do u talk to all your members like that. will not be recomending your site. best way to put it is TULIPTOOLS.COM IS REALLY SHIT. DONT JOIN." -pubescent owner of rinky dink off2auction.com in 2011
05-03-2007, 08:40 PM,
Post: #4
Re: Major Account Related Security Hole Discovered in RScript RSAuction Script
The RScript demo is using the latest version, 2.73.1.5.1.
05-09-2007, 11:35 AM,
(This post was last modified: 05-09-2007, 12:23 PM by mandy.)
Post: #5
Secunia Issues Security Warning: Account Related Security Hole in RScript
Quote (bargainbloodhound): I just reported the flaw to Secunia and gave them the details on how to verify it using the RScript demo.

Secunia listened to you. They issued an advisory today.

Quote: Description:

Full advisory: http://secunia.com/advisories/25149/

EDIT: In the 6 days since I posted this quote...

Quote: If you're an RScript RSAuction site owner send me a PM and I'll fill you in on the nature of the problem.

...ZERO RScript auction site owners have contacted me to find out the nature of the security hole - which says something about the importance they place on security on their sites. Wagglepop is reportedly a regular reader here and PlunderHere is a member - no contact from either one of them.
05-09-2007, 01:09 PM,
Post: #6
Re: Major Account Related Security Hole Discovered in RScript RSAuction Script
Quote: Secunia listened to you. They issued an advisory today.

Nice job, you guys.

Quote: ...ZERO RScript auction site owners have contacted me to find out the nature of the security hole - which says something about the importance they place on security on their sites. Wagglepop is reportedly a regular reader here and PlunderHere is a member - no contact from either one of them.

Not surprising considering who uses RScript. 8)
05-09-2007, 06:32 PM,
Post: #7
Re: Major Account Related Security Hole Discovered in RScript RSAuction Script
Quote: ...ZERO RScript auction site owners have contacted me

Worldauctions used it. Ebay sued them, they closed. Biduptoday used it. He had a baby, he closed.

OAI Moron Hall of Fame

"sell-thru is an irrelevant and illogical consideration." -KaRay, owner of WP giving selling advice, 2006
"the site was 'NOT' hacked but the little script that had recipes on had the link altered" -Plunderhere Owner Mark Taylor after his site was hacked by a Chinese hacker gang, 2008
"Some people have it like that, others dont. I do." -Probidscripts owner Spencer Osama Binweb Laden Ray bragging about his ability to scam the OAI without feeling any guilt, 2008.
"How does an auction site get buyers?" -question asked at PSU by owner of auction site BidBeaver.ca, 2008
"How do I get sales?" -question asked at PSU by online store owner, 2009.
"I was told by my Tech. Support that my site dont really need SSL.. his servers are well protected and that info your providing to join aint really top secret information" -owner of auction site TheTraderOutlet.com discussing his site's lack of basic security, 2009
05-10-2007, 08:16 AM,
Post: #8
Re: Major Account Related Security Hole Discovered in RScript RSAuction Script
Suzanne, the Site Admin at PlunderHere, let me know that she wasn't made aware of the problem until yesterday and fixed the problem within hours of the time she learned of it. I used a test account that Suzanne set up to verify that PlunderHere has fixed the problem.
05-22-2007, 10:33 AM,
Post: #9
Update: RScript issues patch for RSAuction Security Bypass
Update: RScript has issued a patch. Script users should update to version 2.73.1.5.2 to fix the security hole.
http://secunia.com/advisories/25149/